CVE-2018-9248
published 2018-04-04

CVE-2018-9248: FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via a "Cookie: Name=0admin" header.

Priority: P271 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 15.25% (96.4th percentile)

Detection & IOCs (extracted from sources)

cookie: Name=0admin
url: http://192.168.10.1/
  • Detect HTTP requests containing the hardcoded bypass cookie 'Name=0admin' in the Cookie header, which grants unauthenticated access to the FiberHome HG 150-UB admin interface.
  • The device's HTTP response to unauthenticated requests returns two concatenated HTTP/1.1 200 responses — the first containing 'Set-Cookie: Name=; path=/' and a redirect to login.html, followed immediately by the actual homepage content. Detecting this malformed double-response pattern can identify vulnerable devices.
  • Server banner 'micro_httpd' in HTTP responses can help fingerprint FiberHome HG 150-UB devices exposed to this authentication bypass.
  • The bypass relies on a hardcoded, plaintext cookie value. The default gateway IP 192.168.10.1 is used in the exploit but may vary per deployment; the cookie-based bypass applies regardless of the device's IP address.
  • A second bypass vector exists via response-splitting/improper session handling: stripping the redirect JavaScript from the first HTTP response body grants access without any cookie manipulation, making cookie-only detection insufficient to cover all attack paths.
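
The detection points above can be combined into one check over raw HTTP traffic. The following is an added example, not code from the advisory or the vendor: it flags the bypass cookie on the request side and the double-response pattern and micro_httpd banner on the response side. The function names, finding labels and sample messages are assumptions constructed for illustration.

```python
import re

# Exact cookie pair Name=0admin, tolerant of spacing and of neighbouring cookies.
BYPASS_COOKIE = re.compile(r"(?:^|;)\s*Name\s*=\s*0admin\s*(?:;|$)")
STATUS_200 = re.compile(rb"^HTTP/1\.[01] 200\b", re.MULTILINE)
BANNER = re.compile(rb"^Server:\s*micro_httpd", re.MULTILINE | re.IGNORECASE)

def header_values(raw: bytes, name: str) -> list:
    """Return all values of one header from a raw HTTP message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def request_has_bypass_cookie(raw_request: bytes) -> bool:
    """True when any Cookie header carries the hardcoded Name=0admin pair."""
    return any(BYPASS_COOKIE.search(v) for v in header_values(raw_request, "cookie"))

def response_findings(raw_stream: bytes) -> set:
    """Flag the double-200 pattern and the micro_httpd banner in one server reply."""
    findings = set()
    starts = [m.start() for m in STATUS_200.finditer(raw_stream)]
    if len(starts) >= 2:
        first = raw_stream[starts[0]:starts[1]]  # first of the concatenated responses
        if b"Set-Cookie: Name=; path=/" in first and b"login.html" in first:
            findings.add("double-response")
    if BANNER.search(raw_stream):
        findings.add("micro_httpd-banner")
    return findings

# Constructed sample traffic (not captured from a real device).
REQ_BYPASS = b"GET / HTTP/1.1\r\nHost: 192.168.10.1\r\nCookie: lang=en; Name=0admin\r\n\r\n"
REQ_BENIGN = b"GET / HTTP/1.1\r\nHost: 192.168.10.1\r\nCookie: UserName=0admin\r\n\r\n"
RESP_DOUBLE = (
    b"HTTP/1.1 200 OK\r\nServer: micro_httpd\r\nSet-Cookie: Name=; path=/\r\n\r\n"
    b"<html><!-- redirect to login.html --></html>\r\n"
    b"HTTP/1.1 200 OK\r\nServer: micro_httpd\r\n\r\n<html>homepage</html>"
)
RESP_SINGLE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    for label, req in (("bypass", REQ_BYPASS), ("benign", REQ_BENIGN)):
        print(label, request_has_bypass_cookie(req))
    for label, resp in (("double", RESP_DOUBLE), ("single", RESP_SINGLE)):
        print(label, sorted(response_findings(resp)))
```

Because the response-side check does not depend on the cookie, it also covers traffic where the second bypass vector is in play.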

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P